Details

Currently, you must enter the same user/password as the osCommerce scripts use, or force a fixed password in the server-side script, or, worse, disable authentication altogether (which should never be done, except when debugging).

The server-side script doesn't really authenticate itself to MySQL using the credentials sent by the OSCPMWin application. It always uses the connection data found in the osCommerce configuration file, so we have no way to authenticate with alternative credentials. (We authenticate the client just by comparing the salted hash the client sent with the salted hash of the osCommerce password.)

I really don't think we should worry about this. There are no additional risks when using the same password as osCommerce, because the password is never sent in clear text, but salted and hashed, and the password used needs exactly the same permissions as the one used by osCommerce.
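
The salted-hash comparison described above, sketched as an added example (this is not OSCPMWin's own server-side script). The hash function (SHA-256), the per-session random salt, the helper names and the sample credentials are all assumptions, since the page does not specify them.

```php
<?php
// Added illustration, not the project's code. Assumed: SHA-256, hex encoding,
// and a fresh random salt issued by the server for every session.

// Constructed stand-ins for the connection data in the osCommerce configuration file.
define('DB_SERVER_USERNAME', 'osc_user');
define('DB_SERVER_PASSWORD', 'example-password');

// Hypothetical helper: the salted hash that client and server both compute.
function salted_hash(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

// Hypothetical helper: salt handed to the client at the start of a session.
function new_salt(): string
{
    return bin2hex(random_bytes(16));
}

// Server-side check: the password itself never arrives, only its salted hash.
// hash_equals() compares in constant time, so response timing does not reveal
// how many leading characters of a guess were right.
function client_is_authenticated(string $salt, string $user, string $clientHash): bool
{
    $expected = salted_hash($salt, DB_SERVER_PASSWORD);
    $userOk = hash_equals(DB_SERVER_USERNAME, $user);
    $hashOk = hash_equals($expected, $clientHash);
    return $userOk && $hashOk;
}

// Server issues a salt; client answers with the hash of salt + password.
$salt = new_salt();
$fromClient = salted_hash($salt, 'example-password');
var_dump(client_is_authenticated($salt, 'osc_user', $fromClient));

// A wrong password is rejected.
var_dump(client_is_authenticated($salt, 'osc_user', salted_hash($salt, 'wrong-password')));

// A hash computed for an earlier session's salt is rejected under the new salt.
$stale = salted_hash(new_salt(), 'example-password');
var_dump(client_is_authenticated($salt, 'osc_user', $stale));

// Only after this check passes would the script open its MySQL connection,
// and it would do so with the configuration-file credentials, not the client's.
```

With a fixed salt, the third check would pass as well, which is why this sketch assumes the salt changes per session.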